Dr. Bob, the group’s compliance officer, has HIPAA on his mind almost all the time, that is, when he’s not thinking about coding or Stark or the federal Anti-Kickback Statute.
So he made sure that his notebook computer’s disk drive was encrypted. And, at the end of the computer’s useful life, he took care to permanently erase the drive. He then arranged for a vendor to come onsite to remove and physicially destroy the disk.
The point, of course, was to eliminate the possiblity that any Protected Health Information (“PHI”) could be improperly disclosed.
After all, Dr. Bob was familiar with the errors made by other “Covered Entities” under HIPAA, such as the VA, that tossed out computers willy nilly, exposing patients’ individually identifiable health information.
Dr. Bob decided to call it a day. As he walked out of the office, he noticed the new copier that had been delivered earlier that day. Great, he thought; the old one jammed almost every time he used it.
At midnight, Dr. Bob bolted up from his slumber. “What the &*&$^ happened to the old copier?????”
When most physicians and healthcare administrators think about electronic PHI, the default focus is on computers. After all, computers store information and that information might constitute PHI.
But PHI lurks in the strangest places in a physician’s office, in billing and collection departments (both in-house and outsourced), and in healthcare facilities of all sorts. Like on the copier that just caused Bob to wonder whether there’s been a major PHI breach.
Modern office machines, from copiers to printers to maybe even label makers have memory devices, and those devices may be chock full of PHI.
In similar manner, electronic medical equipment used for diagnosis or treatment can also possess memory that stores PHI, especially as those devices have been made “smarter” in order to communicate with electronic health record systems.
The memory in those devices must be considered and treated in the very same manner as the memory in computers. It must be protected and it must be destroyed when no longer in use, not just hauled away by a vendor or a manufacturer (who may or may not have been treated as a HIPAA Business Associate by the practice or facility – big mistake!) or tossed into the city dump or even the city recycling program.
If not, it can find its way into the wrong hands and land you in a world of trouble, both in terms of HIPAA and related HITECH Act requirements and in terms of what that information may reveal in respect of your other compliance issues.
People are afraid of being replaced by machines in the future, but they don’t spend much time thinking that their just-replaced multi-function printer/scanner/copier may be ratting them out today.
